Fuzzer Patch(es)

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Fuzzer Patch(es)

Tom Ritter
NCC Group has prepared (or begun preparing) a patch that integrates fuzzing of OpenSSL.  This work was done primarily by Tim Newsham, although the code is based on selftls by Hanno Böck, and it was modified by me to fit into the OpenSSL tree. The general messiness is caused by me, not Tim.

Rather than attach a giant patch, I put it up here: https://github.com/nccgroup/openssl/tree/ncc-fuzzer

It consists of three parts:

- Expansive changes to the ossltest engine to support (broken) RSA and many more (broken) symmetric ciphers
- Two function additions to OpenSSL that, when compiled with FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, insert deterministic timestamps into the TLS protocol
- The ftls fuzz harness that speaks TLS to itself and allows for fuzzing any individual client or server message in the handshake


This has only been tested on Linux x64 so far. I have had some trouble getting some parts working, but the fuzzing does commence.

tar xfv afl-<tab>
ln -s afl-2<tab> afl
cd afl ; make ; cd ..
git clone [hidden email]:nccgroup/openssl.git ncc-fuzzer
cd ncc-fuzzer
git checkout ncc-fuzzer
CC=../afl/afl-clang ./Configure linux-x86_64 -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers enable-crypto-mdebug enable-asan enable-afl-fuzz
(Optional: Edit Makefile and change '-O3' to '-O0' and '-g' to '-ggdb'.  I couldn't figure out how to make this part of the Configure command.)
make
(Ignore errors at the end for code in test/fuzz)
cd test/ftls
ln -s ../../../afl-2<tab> afl
make all
./genCerts
./makeInputs
LD_LIBRARY_PATH=../../ ./afl/afl-fuzz -i inputs -o outputs -m 99999999999999 -- ./ftls-afl


There are few pieces that I was unable to get working correctly:

1) The ossltest engine needs to have libcrypto statically linked into it. ftls has openssl libraries statically linked into them for ASAN+AFL fuzzing, but ossltest wants them loaded dynamically.  The correct thing to do is compile ossltest with libcrypto linked statically, but I could not figure out the correct way to represent that with the build.info configurations. http://stackoverflow.com/a/2649792 seems to be the correct instructions for the compiler/linker.

Until this is fixed, the above LD_LIBRARY_PATH=../../ is needed.

2) I had trouble compiling with 'enable-asan' unless I used clang. gcc gave me problems.

3) I got compilation errors for code in test/ when compiling with enable-afl-fuzz; however the important stuff compiled.  

4) ERR_load_OSSLTEST_strings() in the original e_ossltest.c was causing a Segfault (under ASAN) on exit, so I commented it out.

5) The original version of ftls by Tim included support for compiling and fuzzing on 32-bit and also getting gcov-based profiling information. While references and stubs to this are still in the Makefile, I wasn't able to fully investigate and get those aspects of it working

6) There are some memory leaks that are exposed when you run ./makeInputs - I tracked most of them down, but a few remained. I believe these are from ftls and not OpenSSL.


This fuzzer hits lots of things, but there are lots more things in OpenSSL.  It has the following limitations:
- It doesn't support all the possible features of TLS. But it does support a lot of them. (makeInputs lists many things not completed at the end of the file)
- The ossltest engine does not include support for removed ciphers like DES, RC2, or GOST. However, there are some mentions/stubs of that, as the fuzzer was written before all of these things were removed from 1.1
- Because ossltest cooks MD5 to output a constant value, OpenSSL's RNG becomes constant. This causes an error in ssl/ssl_sess.c:generate_session_id() because it always generates a colliding Session ID. This breaks renegotiation in the test harness. I haven't thought of an elegant way to resolve this.


My ability to continue this effort is going to be extremely limited in the upcoming weeks, so I'm hopeful a community member will help us bring this across the finish line if OpenSSL is (still) interested in having this work merged into master.

-tom

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: Fuzzer Patch(es)

Matt Caswell-2


On 25/08/16 22:33, Tom Ritter wrote:

> NCC Group has prepared (or begun preparing) a patch that integrates
> fuzzing of OpenSSL.  This work was done primarily by Tim Newsham,
> although the code is based on selftls by Hanno Böck, and it was modified
> by me to fit into the OpenSSL tree. The general messiness is caused by
> me, not Tim.
>
> Rather than attach a giant patch, I put it up here:
> https://github.com/nccgroup/openssl/tree/ncc-fuzzer
>
> It consists of three parts:
>
> - Expansive changes to the ossltest engine to support (broken) RSA and
> many more (broken) symmetric ciphers
> - Two function additions to OpenSSL that, when compiled with
> FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, insert deterministic
> timestamps into the TLS protocol
> - The ftls fuzz harness that speaks TLS to itself and allows for fuzzing
> any individual client or server message in the handshake
>
>
> This has only been tested on Linux x64 so far. I have had some trouble
> getting some parts working, but the fuzzing does commence.
>
> wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
> tar xfv afl-<tab>
> ln -s afl-2<tab> afl
> cd afl ; make ; cd ..
> git clone [hidden email]:nccgroup/openssl.git ncc-fuzzer
> cd ncc-fuzzer
> git checkout ncc-fuzzer
> CC=../afl/afl-clang ./Configure linux-x86_64
> -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION enable-ssl3
> enable-ssl3-method enable-weak-ssl-ciphers enable-crypto-mdebug
> enable-asan enable-afl-fuzz
> (Optional: Edit Makefile and change '-O3' to '-O0' and '-g' to '-ggdb'.
> I couldn't figure out how to make this part of the Configure command.)
> make
> (Ignore errors at the end for code in test/fuzz)
> cd test/ftls
> ln -s ../../../afl-2<tab> afl
> make all
> ./genCerts
> ./makeInputs
> LD_LIBRARY_PATH=../../ ./afl/afl-fuzz -i inputs -o outputs -m
> 99999999999999 -- ./ftls-afl
>
>
> There are few pieces that I was unable to get working correctly:
>
> 1) The ossltest engine needs to have libcrypto statically linked into
> it. ftls has openssl libraries statically linked into them for ASAN+AFL
> fuzzing, but ossltest wants them loaded dynamically.  The correct thing
> to do is compile ossltest with libcrypto linked statically, but I could
> not figure out the correct way to represent that with the build.info
> <http://build.info> configurations. http://stackoverflow.com/a/2649792
> seems to be the correct instructions for the compiler/linker.
>
> Until this is fixed, the above LD_LIBRARY_PATH=../../ is needed.
>
> 2) I had trouble compiling with 'enable-asan' unless I used clang. gcc
> gave me problems.
>
> 3) I got compilation errors for code in test/ when compiling with
> enable-afl-fuzz; however the important stuff compiled.  
>
> 4) ERR_load_OSSLTEST_strings() in the original e_ossltest.c was causing
> a Segfault (under ASAN) on exit, so I commented it out.
>
> 5) The original version of ftls by Tim included support for compiling
> and fuzzing on 32-bit and also getting gcov-based profiling information.
> While references and stubs to this are still in the Makefile, I wasn't
> able to fully investigate and get those aspects of it working
>
> 6) There are some memory leaks that are exposed when you run
> ./makeInputs - I tracked most of them down, but a few remained. I
> believe these are from ftls and not OpenSSL.
>
>
> This fuzzer hits lots of things, but there are lots more things in
> OpenSSL.  It has the following limitations:
> - It doesn't support all the possible features of TLS. But it does
> support a lot of them. (makeInputs lists many things not completed at
> the end of the file)
> - The ossltest engine does not include support for removed ciphers like
> DES, RC2, or GOST. However, there are some mentions/stubs of that, as
> the fuzzer was written before all of these things were removed from 1.1
> - Because ossltest cooks MD5 to output a constant value, OpenSSL's RNG
> becomes constant. This causes an error in
> ssl/ssl_sess.c:generate_session_id() because it always generates a
> colliding Session ID. This breaks renegotiation in the test harness. I
> haven't thought of an elegant way to resolve this.
>
>
> My ability to continue this effort is going to be extremely limited in
> the upcoming weeks, so I'm hopeful a community member will help us bring
> this across the finish line if OpenSSL is (still) interested in having
> this work merged into master.

Wow! Thanks Tom and Tim. This is fantastic. I really hope someone picks
this up - this would be great to get integrated.

Matt

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: Fuzzer Patch(es)

Benjamin Kaduk
In reply to this post by Tom Ritter
On 08/25/2016 04:33 PM, Tom Ritter wrote:
NCC Group has prepared (or begun preparing) a patch that integrates fuzzing of OpenSSL. 

Exciting stuff, most of which I will ignore for now and ask a targeted question.

- Because ossltest cooks MD5 to output a constant value, OpenSSL's RNG becomes constant.

Is it specifically MD5 and not SHA1?  That would be worrisome, as I thought rand_lcl.h would be setting up for USE_SHA1_RAND by default, not md5.

-Ben

This causes an error in ssl/ssl_sess.c:generate_session_id() because it always generates a colliding Session ID. This breaks renegotiation in the test harness. I haven't thought of an elegant way to resolve this.



--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Reply | Threaded
Open this post in threaded view
|

Re: Fuzzer Patch(es)

Tom Ritter


On 26 August 2016 at 11:33, Benjamin Kaduk <[hidden email]> wrote:
- Because ossltest cooks MD5 to output a constant value, OpenSSL's RNG becomes constant.

Is it specifically MD5 and not SHA1?  That would be worrisome, as I thought rand_lcl.h would be setting up for USE_SHA1_RAND by default, not md5.

No, that was an offhand comment - it produces a constant output for most hash functions: MD5, SHA-1, SHA256, 384, and 512.

-tom

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev